[Devel] [PATCH RH7] net: allow SO_RCVBUFFORCE with CAP_VE_NET_ADMIN

Pavel Tikhomirov ptikhomirov at odin.com
Fri Jul 10 10:35:24 PDT 2015


Allowing this is not secure, surely. We have two other possibilities:

1) increase default socket receive buffer size
2) decrease number of tty devices in CT, we have ~500 of them while in PCS6 only 12.

Best regards, Tikhomirov Pavel
Junior Software Developer, Odin

________________________________________
From: devel-bounces at openvz.org <devel-bounces at openvz.org> on behalf of Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
Sent: 10 July 2015 17:27
To: devel at openvz.org; Andrey Vagin
Subject: [Devel] [PATCH RH7] net: allow SO_RCVBUFFORCE with CAP_VE_NET_ADMIN

Allows overriding the sysctl rmem_max limit for the socket receive buffer in a
CT; needed to start udevd in CentOS 6 CTs without the NET_ADMIN capability.
https://jira.sw.ru/browse/PSBM-34741

Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
---
 net/core/sock.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/core/sock.c b/net/core/sock.c
index 03f4b23..f1a99a5 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -722,7 +722,7 @@ int sock_setsockopt(struct socket *sock, int level, int optname,
                break;

        case SO_RCVBUFFORCE:
-               if (!capable(CAP_NET_ADMIN)) {
+               if (!capable(CAP_NET_ADMIN) && !capable(CAP_VE_NET_ADMIN)) {
                        ret = -EPERM;
                        break;
                }
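Review bot: the added `!capable(CAP_VE_NET_ADMIN)` clause in the SO_RCVBUFFORCE branch turns a host-level privilege check into one any container with CAP_VE_NET_ADMIN passes, and the commit message says the intent is to override rmem_max, which is a host-wide memory-pressure limit; once this gate is passed nothing in the hunk bounds the requested buffer size, so a single container can size its receive buffers without regard to the host policy. If udevd only needs a modestly larger buffer, prefer raising the default receive buffer (or a per-CT cap) over extending the force path; if the change stays, add a comment at the `case SO_RCVBUFFORCE:` line recording why the VE capability is considered sufficient here and which limit still applies inside a CT.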
--
1.9.3

_______________________________________________
Devel mailing list
Devel at openvz.org
https://lists.openvz.org/mailman/listinfo/devel
